Columns List

Action—not all actions are shown on all Sections:

oAdded To Rule








oDownload Ready

oDownload Retry

oDownload Start




oMarked as Unresolved

oMarked as Resolved

oMarked as Unsafe

oMarked as Safe

oMarked as Inspected

oMarked as Uninspected


oPriority Changed


oRemoved From Rule



oState Changed



oDownload SysInspector Log




Agent Version—version of EEI Agent deployed on that particular computer

Alerts—shows the number of ESET PROTECT related alerts (outdated endpoint, etc.)

Assignee—the name of the assignee of the report

Author—who's the author (name of the currently logged User at the time of creation or edition)

Avg Received Events/24h—shows the average number of received events during 24 hours

Avg Stored Events/24h—show the avarage number of stored events during 24 hours. This number depends on the Server settings and Data Retention and Data collection setting

Blocked—shows whether the executables hash was blocked or not

Blocked Url—shows the URL of the blocked detection if applicable


οPersistence—rules that monitor different kinds of persistence in the system (for example autorun registry, new files in %startup% folder, etc.)

οRegistry - altering security features—rules that monitor security-settings in the registry (for example exclusions in the firewall, etc.)

οFile system—rules that monitor suspicious file operations (for example writing in ADS, creating autorun.inf, etc.)

οSuspicious process creation & process manipulation—rules that monitor manipulation with processes (for example termination of processes through the command line, the process started from recycle bin, etc.)

οCommunication—rules that monitor suspicious network communication (for example new connections, connections to the known bad servers, etc.)

οFilecoders—rules that monitor behavior typical for different file coders (ransomware)

οWeb browser related—rules that monitor web browser related things (for example Nova extensions)

οOffice—rules that monitor Microsoft office related things (for example Word started the new process)

οRemote desktop/Remote access—rules that monitor Remote Desktop settings ( for example change of default port)

οSuspicious system configuration/Removing evidence—rules that monitor system configuration/settings ( for example deleting logs, turn off logging, setting a lower level of security in the system, and other suspicious settings)

οCreated from filter—this rule was created in Executable tab by using preset called Save filters as rule

οUser can define a custom category when creating custom rules. This can be done in the tag <category>Default</category>

Cleaned—if the file was cleaned, when the hash was added or by clicking Clean & Quarantine button in the bottom of the window

Command Line—command line filename

Command Line Length—length of the command line command (Count of characters)

Comment—if the user added a comment it would be shown here

Company Name—company that produced the executable, for example, "Microsoft Corporation" or "Standard Microsystems Corporation, Inc."

Computer—shows detections by computer name. Select equal/unequal to include/exclude specific name. In Scripts tab, shows the name of the computer, where the detection triggered

Computers—shows the number of computers that the reporter created the report for

Count—if the ungrouped type of detections is selected, this column is not visible

Create Time—shows the time of creation of the report

Created—the time when was the task created

Creation Date—the date when the exclusion was created

Criteria—what criteria was used for the exclusion (File name, Signer, Computer etc.)

Details—provides more details on an Alert taken from ESET PROTECT if applicable

Description—the description of the computer, taken from ESET PROTECT. In Incidents allows filtering by the description provided by the reporter

Detections—the number of Detections triggered by this task

DNS events—total number of DNS events, that the specific executable triggered

Enabled—shows status of the rule/exclusion. Enabled or disabled

Ended—sort by the time, when the process was terminated, caused by this process

Endpoint Version—version of Endpoint installed on that Computer

Events / 24h—total amount of events within 24 hours

Executable—sort by executable name

Executables—shows the number of executables that the report contains

Executable Drops—the number of dropped executables made by this executable

Executed on Computers—the number of computers on which the file was executed

Executions—how many times this EXE file was executed on all computers

File Description—the full description of the file, for example, "Keyboard Driver for AT-Style Keyboards"

File Modifications—how many files were modified (written to, deleted, renamed)

File Version—version number of the file for example, "3.10" or "5.00.RC2"

Filter Name—sort by the name of the event filter

First Executed—when was executable first executed on this computer

First HTTP Request—sort by the source HTTP address, if the script access the network

First Child Module Name—sort by the child process name

First Seen—when an executable was first seen on any computer

First Seen (LiveGrid®)—when an executable was first seen on any computer connected to LiveGrid®

FQDN—fully qualified domain name,  is a domain name that specifies its exact location in the tree hierarchy of the Domain Name System (DNS)

From Date—filter by the date when the task started

Full Name—users full name, if available from Active Directory

Group—the name of the group of computers a specific computer belongs to

HTTP events—total number of HTTP events, that the specific executable triggered

Hit Count—count of detections that were excluded by this exclusion

Information—total count of unresolved informational detections on computer

Information(Unique)—count of unique unresolved informational detections on computer

Inspected—if the executable is marked as inspected by the user. You can mark it as inspected, using the button Executables_Inspected_Button or to mark as uninspected using Executables_Uninspected_Button at the bottom of the screen

Integrity Level—Represented by the arrow in process tree, the grid of Detections tab, and everywhere where the process name is present
These levels are present:

oUntrusted—Blue arrow downIntegrity_blue, blocks most write access to a majority of objects

oLow—Blue arrow downIntegrity_blue, blocks most write access to registry keys and file objects

oMedium—No icon, this is the default setting for most processes when UAC has been enabled on the system

oHigh—Red icon upIntegrity_red, most processes will have this setting if UAC is disabled and the currently logged on user is the administrator

oSystem—Red icon upIntegrity_red, this is a setting reserved for system level components

oProtected process—Red icon upIntegrity_red, is used by some anti-malware services, only allows trusted, signed code to load and has built-in defense against code injection attacks

Internal Name—internal name of the file, if one exists, for example, an executable name if the file is a dynamic-link library. If the file has no internal name, this string is the original filename, without extension

Isolated from Network—shows if the computer was isolated from network (only connections between ESET security products are available)

Job Position—users job position, if available from Active Directory

Last Change Date—the date, when the object was changed the last time

Last Change Type—what was the last change of the object (for example, marked as resolved, change of the priority)

Last Changed By—which user was the last one to change the object

Last Connected—permanent connection created to listen on notification about blocked hashes, requests to download some file, kill the process, etc. Refresh interval is 90 seconds

Last Edit—time when the rule was last edited. Only Custom rules can be edited.

Last Event—this is the timestamp of the last event sent to the server. So the time when this event occurred on the computer, not when it was sent to EIServer

Last Executed—when was executable executed last time on any computer

Last Status Check—when was the last time, when the server get the status from particular computer

Last Update—shows the time of the last update of the report

MITRE ATT&CK™ TECHNIQUES—if the rule contains an ID of the MITRE ATT&CK™ TECHNIQUE it is shown here, otherwise none

Nearmiss Report—if the detection triggered due to malware, but we can't hundred percent guarantee it is a malware

Network Connections—the number of network connections made by this file

Occured—shows the time of the alert occurence

Occurred Time—shows reports by the time of occurrence. Select earlier than or later than, and the desired time range

Original File Name—the original name of the file, not including the path. This information allows an application to determine whether a file has been renamed by a user. The format of the name depends on the file system for which the file was created

OS platform—what is the bit version of the operating system that is running on the particular computer:



OS version—version of the operating system on that particular computer:

οmacOS 10.15

οmacOS 10.14

οmacOS 10.13

οmacOS 10.12

οWindows 10

οWindows 8.1

οWindows 8

οWindows 7

οWindows Vista

οWindows XP 64- Bit Edition

οWindows XP

οWindows Server 2019

οWindows Server 2016

οWindows Server 2012 R2

οWindows Server 2012

οWindows Server 2008 R2

οWindows Server 2008

οWindows Server 2003

Parent Module Name—sort by the parent process name

Packer Name—the name of packer if an executable is packed

Parent Process Name (ID)—the name and ID of the parent process, if applicable

Parent Process SHA-1—hash of the parent process, if applicable

Parent Process Signature Type—information whether the parent process's file is signed or not and how it is signed (Trusted/Valid/None/Invalid/Unknown)

Parent Process Signer Name—if the parent process's file is signed, here you can see the signer of the file

Path(s)—path to the specific executable

Popularity (LiveGrid®)—How many computers reported an executable to LiveGrid®. For a detailed description, click here

Primary Object—info about the main object of a user action, i.e. (detection info in case of resolve action, computer name in case of sync, etc…)

Priority—No Priority, Priority 1 Alarm_Priority_1, Priority 2 Alarm_Priority_2, Priority 3 Alarm_Priority_3

Process Name (ID)—sort by process name or by its ID

Problem—the name of the problem that caused the alert on that particular computer, caused by Product

Processes—shows the number of processes that the report contains

Product—the name of the product that caused the alert (ESET PROTECT alert) on that particular computer

Product Name—the name of the product with which the file is distributed

Product Version—version of the product with which the file is distributed, for example, "3.10" or "5.00.RC2"

Progress—shows the progress of the started task. If completed the progress bar is green, if running, pause, pending, part of the progress bar is blue (depending on the progress percentage)

Received Events From Today—shows the number of events occured on the parcituclar computer since midnight

Registry Modifications—how many registry entries were modified

Reputation (LiveGrid®)—is a number from 1 to 9, indicating how safe the file is. 1-2 Red is malicious, 3-7 Yellow is suspicious, 8-9 Green is safe

Resolved—in case of detection tab, shows whether the detection is marked as Resolved Alarm_Resolved. This status can be changed via buttons at the bottom of the window Alarms_Details_Resolved_Unresolved. In the case of the computers tab, shows the total count of resolved detections on the computer with no regard on the severity

Resolved Detections—total count of resolved detections on the specific computer with no regard to severity

Rule—sort by rule name

Rule Name—the name of the rule (Default or Customized)

Rules Count—count of the rules used in the exclusion

Rules Names—names of the rules that were used in the exclusion

Safe—shows if the executable was marked as safe

Scanner—what type of Endpoint scanner did prevent the potential threat

Secondary Object—in case of task 'state change' shows its state (running, pendning, etc.)

Section—in which section of EEI was the action taken:











Seen on Computers—the number of computers on which the file was discovered

Sent Bytes—total number of bytes sent by this file, from all computers, all processes

Severity—Threat Alarm_Severity_Threat, Warning Alarm_Severity_Warning, Info Alarm_Severity_Info

Severity Score—a more precise definition of severity. 1-39 > Info Alarm_Severity_Info 40-69 > Warning Alarm_Severity_Warning 70 - 100 > Threat Alarm_Severity_Threat

SFX Name—self-extracting archive type, if an executable is packed

SHA-1—hash of the executable

Signature CN #1—for macOS only. Same as product name column for windows.

Signature CN #2—for macOS only. Same as file version column for windows.

Signature CN #3—for macOS only. Same as product version column for windows.

Signature CN #4—for macOS only. Same as internal name column for windows.

Signature CN #5—for macOS only. Same as original file name column for windows.

Signature Id—for macOS only. Same as company name column for windows.

Signature Type—information whether the file is signed or not and how it is signed (Trusted/Valid/None/Invalid/Unknown)

Signer Name—if the file is signed, here you can see the signer of the file

Started—sort by the time, when the process was executed, caused by this process

Status—Threat Alarm_Severity_Threat, Warning Alarm_Severity_Warning, Info Alarm_Severity_Info, Ok Executables_Status_Ok. In case of Alarms tab, the status describes the state of the ESET PROTECT alert. In case of Tasks tab, these four possible statuses are shown:




oPending—for performance reasons the maximum amount of running tasks at once is set to 10, so all other tasks over 10 have status pending. This limit will be configurable in the future releases

Status Score—more precise presentation of the Status (1-39 -> Info, 40-69 -> Warning, 80-100 -> Threat)

Stored Events From Today—number of computer events since midnight

Subproduct—the name of the subproduct connected with the Product (ESET PROTECT)

Tags—list of all tags assigned to this object/report

Task Name—if the detection was triggered by running the task from Tasks tab

Threat Handled—shows whether an action was taken against this detection

Threat Name—the name of the threat, that can be found in this list

Threats—total count of unresolved threat detections on computer

Threats(Unique)—count of unique unresolved threat detections on computer

To Date—filter by the date when the task ended

Trigger Event—what was the trigger of the particular detection

Triggered Time—shows reports by the time of triggering. Select earlier than or later than, and the desired time range

Unresolved—total count of unresolved detections on computer

Unresolved Detections (Unique)—total count of unique unresolved detections on the specific computer

Unresolved(Unique)—count of unique unresolved detections on computer

URI—the URI(uniform resource identifier) which caused this detection to trigger

User—which user performed the action

User Department—users department, if available from Active Directory

User Description—users description, if available from Active Directory

User Id—for macOS only. Same as file description column for windows.

Username—the user account that was logged on the computer at the time of detection trigger

Valid—when you save a rule with the wrong syntax, it gets an invalid tag

Warnings—total count of unresolved warning detections on computer

Warnings(Unique)—count of unique unresolved warning detections on computer

Whitelist Type—information if an executable is whitelisted:

oCertificate—the executable is whitelisted because it is signed by the trusted certificate

oLiveGrid®—the executable is whitelisted because the trustworthiness of the file was confirmed by ESET

% of total events—percentage of total events of the particular executable